From 1699bf4e29a3ba42362c340520ed97efc313366d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ferenc=20W=C3=A1gner?=
Date: Thu, 18 Apr 2019 16:06:04 +0200
Subject: [PATCH] Let remote_tempdir() assume a NUL-terminated name

This is the case already. We also fix a buffer overflow opportunity in the memcpy() call by this change.
---
 lib/ipc_int.h | 2 +-
 lib/ipc_us.c | 11 +++++------
 lib/ipc_shm.c | 2 +-
 lib/ipc_us.c | 4 ++--
 lib/ipcs.c | 2 +-
 5 files changed, 10 insertions(+), 11 deletions(-)
--- libqb.git.orig/lib/ipc_int.h
+++ libqb.git/lib/ipc_int.h
@@ -208,6 +208,6 @@
 int32_t qb_ipcs_process_request(struct qb_ipcs_service *s, struct qb_ipc_request_header *hdr);
-void remove_tempdir(const char *name, size_t namelen);
+void remove_tempdir(const char *name);
 #endif /* QB_IPC_INT_H_DEFINED */
--- libqb.git.orig/lib/ipc_us.c
+++ libqb.git/lib/ipc_us.c
@@ -401,7 +401,7 @@
 unlink(c->request.u.us.shared_file_name);
 /* Last-ditch attempt to tidy up after ourself */
- remove_tempdir(c->request.u.us.shared_file_name, PATH_MAX);
+ remove_tempdir(c->request.u.us.shared_file_name);
 close(c->request.u.us.sock);
 close(c->event.u.us.sock);
@@ -952,7 +952,7 @@
 munmap(c->request.u.us.shared_data, sizeof(struct ipc_us_control));
 unlink(c->request.u.us.shared_file_name);
- remove_tempdir(c->request.u.us.shared_file_name, PATH_MAX);
+ remove_tempdir(c->request.u.us.shared_file_name);
 close(c->request.u.us.sock);
 close(c->event.u.us.sock);
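Review bot: The one-argument prototype in lib/ipc_int.h now carries an unstated precondition: `name` must be a non-NULL, NUL-terminated string, because the length bound that callers used to pass is gone. The two call sites changed in lib/ipc_us.c (the hunks at 401 and 952) pass the `shared_file_name` field, and nothing visible in these hunks shows that the field is always terminated when it is filled, so the commit message's "this is the case already" should be confirmed where the name is written. I would record the contract on the declaration, for example `/* name must be a NUL-terminated path; no length is passed any more */`.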
@@ -976,16 +976,15 @@
 s->needs_sock_for_poll = QB_FALSE;
 }
-void remove_tempdir(const char *name, size_t namelen)
+void remove_tempdir(const char *name)
 {
 #if defined(QB_LINUX) || defined(QB_CYGWIN)
 char dirname[PATH_MAX];
- char *slash;
- memcpy(dirname, name, namelen);
+ char *slash = strrchr(name, '/');
- slash = strrchr(dirname, '/');
- if (slash) {
- *slash = '\0';
+ if (slash && slash - name < sizeof dirname) {
+ memcpy(dirname, name, slash - name);
+ dirname[slash - name] = '\0';
 /* This gets called more than it needs to be really, so we don't check
 * the return code. It's more of a desperate attempt to clean up after ourself
 * in either the server or client.
--- libqb.git.orig/lib/ipcs.c
+++ libqb.git/lib/ipcs.c
@@ -541,7 +541,7 @@
 qb_ipcs_connection_unref(c);
 }
 }
- remove_tempdir(c->request.u.us.shared_file_name, PATH_MAX);
+ remove_tempdir(c->request.u.us.shared_file_name);
 }
 }
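Review bot: The new guard in remove_tempdir() compares a signed `ptrdiff_t` with a `size_t` in `slash - name < sizeof dirname`. That is correct only because `slash` can never precede `name`, and it trips -Wsign-compare. Making the conversion explicit keeps the bound readable: `if (slash && (size_t)(slash - name) < sizeof dirname) {`. Since the pointer is no longer written through, it can also be declared `const char *slash = strrchr(name, '/');`. A name with no '/' or with a directory part of PATH_MAX bytes or more is now skipped silently, which deserves a short comment. The function body continues past the end of the hunk.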
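Review bot: In lib/ipcs.c the retained call `remove_tempdir(c->request.u.us.shared_file_name);` still reads through `c` after `qb_ipcs_connection_unref(c);` in the context lines just above it. If that unref can drop the last reference, the argument is read from freed memory. Whether it can depends on code outside the hunk, because the enclosing function starts before it. This is worth confirming; if so, either move the remove_tempdir() call ahead of the unref or copy the name into a local buffer before the reference is released.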